From beeb6b3400181caaa8d057c6460a1b8b317ecb47 Mon Sep 17 00:00:00 2001 From: Tomasz Chyrowicz Date: Thu, 31 Jul 2025 16:37:51 +0200 Subject: [PATCH 1/3] manifest: Update sdk-zephyr and sdk-mcuboot Include the VID and CID feature. Ref: NCSDK-34175 Signed-off-by: Tomasz Chyrowicz --- west.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/west.yml b/west.yml index 1cd9f57a2936..22bb8d51d61b 100644 --- a/west.yml +++ b/west.yml @@ -65,7 +65,7 @@ manifest: # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html - name: zephyr repo-path: sdk-zephyr - revision: d4d69a4a781859dd8691633988b6b8816b653dc9 + revision: pull/3122/head import: # In addition to the zephyr repository itself, NCS also # imports the contents of zephyr/west.yml at the above @@ -128,7 +128,7 @@ manifest: compare-by-default: true - name: mcuboot repo-path: sdk-mcuboot - revision: e1f2ab3806ce7ebc7ef34b3fc04272e747590745 + revision: pull/486/head path: bootloader/mcuboot - name: qcbor url: https://github.com/laurencelundblade/QCBOR From 8782a6251a0d862a73f33bf1207aef7670b231a9 Mon Sep 17 00:00:00 2001 From: Tomasz Chyrowicz Date: Tue, 2 Sep 2025 15:21:25 +0200 Subject: [PATCH 2/3] bootloader: Add basic UUID checks implementation Provide an implementation for MCUboot UUID checks that specify a single, common vendor identifier and a unique class identifier for each image. Ref: NCSDK-34175 
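Review bot: Both `revision:` lines (zephyr in the first west.yml hunk, mcuboot in the second) replace a full commit SHA with a pull-request ref, `pull/3122/head` and `pull/486/head`, which moves whenever the PR branch is pushed to. While these are in place the bootloader sources fetched by `west update` are not fixed by the manifest, so a build of this commit cannot be reproduced or audited from the manifest alone. Before merge each entry should go back to the 40-character SHA of the merged sdk-zephyr / sdk-mcuboot commit. If the PR refs are a temporary CI arrangement, say so in the commit message.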
Signed-off-by: Tomasz Chyrowicz --- subsys/CMakeLists.txt | 1 + subsys/bootloader/Kconfig | 1 + subsys/bootloader/bl_uuid/CMakeLists.txt | 61 ++++++++++++++++ subsys/bootloader/bl_uuid/Kconfig | 55 ++++++++++++++ .../bootloader/bl_uuid/Kconfig.uuid.template | 29 ++++++++ subsys/bootloader/bl_uuid/bl_uuid.c | 73 +++++++++++++++++++ 6 files changed, 220 insertions(+) create mode 100644 subsys/bootloader/bl_uuid/CMakeLists.txt create mode 100644 subsys/bootloader/bl_uuid/Kconfig create mode 100644 subsys/bootloader/bl_uuid/Kconfig.uuid.template create mode 100644 subsys/bootloader/bl_uuid/bl_uuid.c diff --git a/subsys/CMakeLists.txt b/subsys/CMakeLists.txt index 27ddef01503b..b42e4901628b 100644 --- a/subsys/CMakeLists.txt +++ b/subsys/CMakeLists.txt @@ -10,6 +10,7 @@ add_subdirectory_ifdef(CONFIG_IS_SECURE_BOOTLOADER bootloader) add_subdirectory_ifdef(CONFIG_SECURE_BOOT_CRYPTO bootloader/bl_crypto) add_subdirectory_ifdef(CONFIG_SECURE_BOOT_VALIDATION bootloader/bl_validation) add_subdirectory_ifdef(CONFIG_SECURE_BOOT_STORAGE bootloader/bl_storage) +add_subdirectory(bootloader/bl_uuid) add_subdirectory_ifdef(CONFIG_NRF_SECURITY nrf_security) add_subdirectory_ifdef(CONFIG_TRUSTED_STORAGE trusted_storage) diff --git a/subsys/bootloader/Kconfig b/subsys/bootloader/Kconfig index b2b6e58eaf3e..75bfc83a38af 100644 --- a/subsys/bootloader/Kconfig +++ b/subsys/bootloader/Kconfig @@ -154,6 +154,7 @@ config NRF53_ENFORCE_IMAGE_VERSION_EQUALITY rsource "bl_crypto/Kconfig" rsource "bl_validation/Kconfig" rsource "bl_storage/Kconfig" +rsource "bl_uuid/Kconfig" config MCUBOOT_COMPRESSED_IMAGE_SUPPORT_ENABLED bool "MCUboot compressed image support" diff --git a/subsys/bootloader/bl_uuid/CMakeLists.txt b/subsys/bootloader/bl_uuid/CMakeLists.txt new file mode 100644 index 000000000000..4b5b411a995c --- /dev/null +++ b/subsys/bootloader/bl_uuid/CMakeLists.txt 
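Review bot: `add_subdirectory(bootloader/bl_uuid)` is the only unconditional entry among the bootloader lines in subsys/CMakeLists.txt; its neighbours all use `add_subdirectory_ifdef`. The new bl_uuid/CMakeLists.txt wraps its whole body in `if(CONFIG_NRF_MCUBOOT_UUID_SINGLE_VID)`, so the condition can be stated here, where a reader looks for it: `add_subdirectory_ifdef(CONFIG_NRF_MCUBOOT_UUID_SINGLE_VID bootloader/bl_uuid)`.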
@@ -0,0 +1,61 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+if(CONFIG_NRF_MCUBOOT_UUID_SINGLE_VID)
+ zephyr_library()
+
+ if(CONFIG_MCUBOOT_UUID_VID OR CONFIG_MCUBOOT_UUID_CID)
+ zephyr_library_sources(
+ bl_uuid.c
+ )
+ endif()
+
+ # Generate VID value and raw value definition
+ if(CONFIG_MCUBOOT_UUID_VID OR CONFIG_MCUBOOT_UUID_CID)
+ string(REGEX MATCHALL "^([0-9A-F][0-9A-F]|\-)+$" match_parts ${CONFIG_NRF_MCUBOOT_UUID_VID_VALUE})
+ if("${match_parts}" STREQUAL "${CONFIG_NRF_MCUBOOT_UUID_VID_VALUE}")
+ set(UUID_VID ${match_parts})
+ else()
+ set(UUID_DNS_NAMESPACE 6ba7b810-9dad-11d1-80b4-00c04fd430c8)
+ string(
+ UUID UUID_VID
+ NAMESPACE ${UUID_DNS_NAMESPACE}
+ NAME ${CONFIG_NRF_MCUBOOT_UUID_VID_VALUE}
+ TYPE SHA1 UPPER
+ )
+ endif()
+
+ # Convert UUID into C array.
+ string(REGEX REPLACE "([0-9A-F][0-9A-F])\-?" "0x\\1, " UUID_VID_RAW ${UUID_VID})
+ add_compile_definitions(NRF_MCUBOOT_UUID_VID_VALUE=${UUID_VID_RAW})
+ endif()
+
+ # Generate VID value(s) and raw value definition(s)
+ if(CONFIG_MCUBOOT_UUID_CID)
+ set(MCUBOOT_IMAGES_COUNT ${CONFIG_UPDATEABLE_IMAGE_NUMBER})
+ foreach(image_id RANGE ${MCUBOOT_IMAGES_COUNT})
+ if(CONFIG_NRF_MCUBOOT_UUID_CID_IMAGE_${image_id})
+ # Check if RAW UUID format is used
+ string(REGEX MATCHALL "^([0-9A-F][0-9A-F]|\-)+$" match_parts ${CONFIG_NRF_MCUBOOT_UUID_CID_IMAGE_${image_id}_VALUE})
+ if("${match_parts}" STREQUAL "${CONFIG_NRF_MCUBOOT_UUID_CID_IMAGE_${image_id}_VALUE}")
+ set(UUID_CID_IMAGE_${image_id} ${match_parts})
+ else()
+ # If not - generate UUID based on VID and CID values
+ string(
+ UUID UUID_CID_IMAGE_${image_id}
+ NAMESPACE ${UUID_VID}
+ NAME ${CONFIG_NRF_MCUBOOT_UUID_CID_IMAGE_${image_id}_VALUE}
+ TYPE SHA1 UPPER
+ )
+ endif()
+
+ # Convert UUID into C array.
+ string(REGEX REPLACE "([0-9A-F][0-9A-F])\-?" "0x\\1, " UUID_CID_IMAGE_${image_id}_RAW ${UUID_CID_IMAGE_${image_id}})
+ add_compile_definitions(NRF_MCUBOOT_UUID_CID_IMAGE_${image_id}_VALUE=${UUID_CID_IMAGE_${image_id}_RAW})
+ endif()
+ endforeach()
+ endif()
+endif()
diff --git a/subsys/bootloader/bl_uuid/Kconfig b/subsys/bootloader/bl_uuid/Kconfig
new file mode 100644
index 000000000000..488f01278f8e
--- /dev/null
+++ b/subsys/bootloader/bl_uuid/Kconfig
@@ -0,0 +1,55 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+if MCUBOOT_UUID_VID || MCUBOOT_UUID_CID
+
+menu "Vendor and image Class UUIDs"
+
+choice NRF_MCUBOOT_UUID_IMPLEMENTATION
+ prompt "UUID checks implementation"
+ default NRF_MCUBOOT_UUID_SINGLE_VID
+
+config NRF_MCUBOOT_UUID_SINGLE_VID
+ bool "Single VID and one CID per image"
+ help
+ This implementation allows to specify a single, common Vendor UUID
+ (VID) for all images and a unique Class UUID (CID) for each image.
+
+endchoice # NRF_MCUBOOT_UUID_IMPLEMENTATION
+
+if NRF_MCUBOOT_UUID_SINGLE_VID
+
+config NRF_MCUBOOT_UUID_VID_VALUE
+ string "Vendor name"
+ default ""
+ help
+ The vendor unique identifier.
+ The following formats are supported:
+ - Domain name (i.e. amce.corp) used to generate RFC 9562 UUID5
+ identifier.
+ - Raw UUID (i.e. 12345678-1234-5678-1234-567812345678)
+ - Raw HEX UUID (i.e. 12345678123456781234567812345678)
+
+if MCUBOOT_UUID_CID
+
+image=0
+rsource "Kconfig.uuid.template"
+image=1
+rsource "Kconfig.uuid.template"
+image=2
+rsource "Kconfig.uuid.template"
+image=3
+rsource "Kconfig.uuid.template"
+image=4
+rsource "Kconfig.uuid.template"
+
+endif # MCUBOOT_UUID_CID
+
+endif # NRF_MCUBOOT_UUID_SINGLE_VID
+
+endmenu
+
+endif # MCUBOOT_UUID_VID || MCUBOOT_UUID_CID
diff --git a/subsys/bootloader/bl_uuid/Kconfig.uuid.template b/subsys/bootloader/bl_uuid/Kconfig.uuid.template
new file mode 100644
index 000000000000..64e1d5593a56
--- /dev/null
+++ b/subsys/bootloader/bl_uuid/Kconfig.uuid.template
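Review bot: The raw-UUID test `^([0-9A-F][0-9A-F]|\-)+$` in bl_uuid/CMakeLists.txt accepts any number of hex pairs and only upper-case digits, so the identifier compiled into the bootloader can differ from the one the user configured. A value such as `AB-CD` passes as "raw" and produces a two-byte initializer (the remaining bytes of `struct image_uuid` are presumably zero-filled in bl_uuid.c), while a well-formed lower-case UUID fails the test and is silently hashed as a name into a different UUID5. The same pattern is applied to every CID inside the `foreach`, so the fix belongs in both places. I would normalise case, strip dashes and require exactly 32 hex digits before taking the raw path, as sketched for the VID below.

```cmake
if(CONFIG_MCUBOOT_UUID_VID OR CONFIG_MCUBOOT_UUID_CID)
  # Raw form: exactly 16 bytes of hex, either case, dashes optional.
  string(TOUPPER "${CONFIG_NRF_MCUBOOT_UUID_VID_VALUE}" vid_upper)
  string(REPLACE "-" "" vid_hex "${vid_upper}")
  string(LENGTH "${vid_hex}" vid_hex_len)
  if(vid_hex MATCHES "^[0-9A-F]+$" AND vid_hex_len EQUAL 32)
    set(UUID_VID "${vid_upper}")
  else()
    # … unchanged: string(UUID ...) generation in the DNS namespace …
  endif()
  # … unchanged: conversion to a C array, add_compile_definitions …
```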
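Review bot: The help for `NRF_MCUBOOT_UUID_VID_VALUE` in bl_uuid/Kconfig does not say what happens when the string is left at its `""` default while `MCUBOOT_UUID_VID` is enabled, nor that the raw forms are recognised only with upper-case hex digits (per the regex in bl_uuid/CMakeLists.txt of this patch). I would state both in the help, for example `Must not be empty when MCUBOOT_UUID_VID is enabled. Raw forms must use upper-case hex digits.` The example domain reads `amce.corp`, probably meant as `acme.corp`, and the examples are introduced with "i.e." where "e.g." is meant.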
@@ -0,0 +1,29 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+if UPDATEABLE_IMAGE_NUMBER > $(image)
+
+config NRF_MCUBOOT_UUID_CID_IMAGE_$(image)_VALUE
+ string "Image class name (image $(image))"
+ default ""
+ help
+ The image class unique identifier.
+ The following formats are supported:
+ - Image class name (i.e. nRF5340_door_lock_btperipheral).
+ This format requires NRF_MCUBOOT_UUID_VID_VALUE to be defined
+ as the VID UUID is used as the namespace for generating RFC 9562
+ UUID5 identifier.
+ - Raw UUID (i.e. 12345678-1234-5678-1234-567812345678)
+ - Raw HEX UUID (i.e. 12345678123456781234567812345678)
+
+config NRF_MCUBOOT_UUID_CID_IMAGE_$(image)
+ bool
+ default y
+ depends on NRF_MCUBOOT_UUID_CID_IMAGE_$(image)_VALUE != ""
+ help
+ Helper symbol to simplify the active CId list generation.
+
+endif # UPDATEABLE_IMAGE_NUMBER > $(image)
diff --git a/subsys/bootloader/bl_uuid/bl_uuid.c b/subsys/bootloader/bl_uuid/bl_uuid.c
new file mode 100644
index 000000000000..31445dc581d8
--- /dev/null
+++ b/subsys/bootloader/bl_uuid/bl_uuid.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+#include
+
+#define IMAGE_ID_COUNT CONFIG_UPDATEABLE_IMAGE_NUMBER
+#define CID_INIT(index, label) \
+ static const struct image_uuid label = {{ \
+ NRF_MCUBOOT_UUID_CID_IMAGE_## index ##_VALUE \
+ }}
+#define CID_CONFIG(index) UTIL_CAT(CONFIG_NRF_MCUBOOT_UUID_CID_IMAGE_, index)
+#define CID_DEFINE(index, prefix) \
+ IF_ENABLED(CID_CONFIG(index), (CID_INIT(index, prefix##index)))
+
+#define CID_CONDITION(index, label) \
+ if (image_id == index) { \
+ *uuid_cid = &label; \
+ FIH_RET(FIH_SUCCESS); \
+ }
+#define CID_CHECK(index, prefix) \
+ IF_ENABLED(CID_CONFIG(index), (CID_CONDITION(index, prefix##index)))
+
+static fih_ret boot_uuid_compare(const struct image_uuid *uuid1, const struct image_uuid *uuid2)
+{
+ return fih_ret_encode_zero_equality(memcmp(uuid1->raw, uuid2->raw,
+ ARRAY_SIZE(uuid1->raw)));
+}
+
+#ifdef CONFIG_MCUBOOT_UUID_CID
+LISTIFY(IMAGE_ID_COUNT, CID_DEFINE, (;), uuid_cid_image_);
+
+static fih_ret boot_uuid_cid_get(uint32_t image_id, const struct image_uuid **uuid_cid)
+{
+ if (uuid_cid != NULL) {
+ LISTIFY(IMAGE_ID_COUNT, CID_CHECK, (), uuid_cid_image_)
+ }
+
+ FIH_RET(FIH_FAILURE);
+}
+#endif /* CONFIG_MCUBOOT_UUID_CID */
+
+fih_ret boot_uuid_init(void)
+{
+ FIH_RET(FIH_SUCCESS);
+}
+
+#ifdef CONFIG_MCUBOOT_UUID_VID
+fih_ret boot_uuid_vid_match(uint32_t image_id, const struct image_uuid *uuid_vid)
+{
+ const struct image_uuid uuid_vid_c = {{
+ NRF_MCUBOOT_UUID_VID_VALUE
+ }};
+
+ return boot_uuid_compare(uuid_vid, &uuid_vid_c);
+}
+#endif /* CONFIG_MCUBOOT_UUID_VID */
+
+#ifdef CONFIG_MCUBOOT_UUID_CID
+fih_ret boot_uuid_cid_match(uint32_t image_id, const struct image_uuid *uuid_cid)
+{
+ FIH_DECLARE(ret_code, FIH_FAILURE);
+ const struct image_uuid *exp_uuid_cid = NULL;
+
+ FIH_CALL(boot_uuid_cid_get, ret_code, image_id, &exp_uuid_cid);
+ if (FIH_NOT_EQ(ret_code, FIH_SUCCESS) && FIH_NOT_EQ(ret_code, FIH_FAILURE)) {
+
FIH_RET(FIH_FAILURE); + } + + return boot_uuid_compare(uuid_cid, exp_uuid_cid); +} +#endif /* CONFIG_MCUBOOT_UUID_CID */ From 6e0f4f452ab45116a9277fcfa2db7d1e894e139c Mon Sep 17 00:00:00 2001 From: Tomasz Chyrowicz Date: Thu, 31 Jul 2025 16:42:01 +0200 Subject: [PATCH 3/3] sample: Enable VID and CID checks Enable VID and CID checks inside smp_svr sample for nRF54H20. Ref: NCSDK-34175 Signed-off-by: Tomasz Chyrowicz --- samples/zephyr/subsys/mgmt/mcumgr/smp_svr/prj.conf | 5 +++++ .../subsys/mgmt/mcumgr/smp_svr/sysbuild/ipc_radio.conf | 4 ++++ .../zephyr/subsys/mgmt/mcumgr/smp_svr/sysbuild/mcuboot.conf | 6 ++++++ 3 files changed, 15 insertions(+) create mode 100644 samples/zephyr/subsys/mgmt/mcumgr/smp_svr/sysbuild/ipc_radio.conf create mode 100644 samples/zephyr/subsys/mgmt/mcumgr/smp_svr/sysbuild/mcuboot.conf diff --git a/samples/zephyr/subsys/mgmt/mcumgr/smp_svr/prj.conf b/samples/zephyr/subsys/mgmt/mcumgr/smp_svr/prj.conf index 925ac0c93a27..cb0cbf076379 100644 --- a/samples/zephyr/subsys/mgmt/mcumgr/smp_svr/prj.conf +++ b/samples/zephyr/subsys/mgmt/mcumgr/smp_svr/prj.conf @@ -39,3 +39,8 @@ CONFIG_MCUBOOT_UTIL_LOG_LEVEL_WRN=y # Disable debug logging CONFIG_LOG_MAX_LEVEL=3 + +CONFIG_MCUBOOT_IMGTOOL_UUID_VID=y +CONFIG_MCUBOOT_IMGTOOL_UUID_VID_NAME="nordicsemi.com" +CONFIG_MCUBOOT_IMGTOOL_UUID_CID=y +CONFIG_MCUBOOT_IMGTOOL_UUID_CID_NAME="nRF54H20_sample_app" diff --git a/samples/zephyr/subsys/mgmt/mcumgr/smp_svr/sysbuild/ipc_radio.conf b/samples/zephyr/subsys/mgmt/mcumgr/smp_svr/sysbuild/ipc_radio.conf new file mode 100644 index 000000000000..85ae6040c56a --- /dev/null +++ b/samples/zephyr/subsys/mgmt/mcumgr/smp_svr/sysbuild/ipc_radio.conf @@ -0,0 +1,4 @@ +CONFIG_MCUBOOT_IMGTOOL_UUID_VID=y +CONFIG_MCUBOOT_IMGTOOL_UUID_VID_NAME="nordicsemi.com" +CONFIG_MCUBOOT_IMGTOOL_UUID_CID=y +CONFIG_MCUBOOT_IMGTOOL_UUID_CID_NAME="nRF54H20_sample_rad" 
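Review bot: In `boot_uuid_cid_match` the guard after `FIH_CALL(boot_uuid_cid_get, ...)` joins its two tests with `&&`, so it is skipped when the lookup returns `FIH_FAILURE`. That is the result for an image with no configured CID or an out-of-range `image_id`, and `exp_uuid_cid` is then still NULL when it is passed to `boot_uuid_compare`, where `memcmp` reads through it. The check should reject every non-success result: `if (FIH_NOT_EQ(ret_code, FIH_SUCCESS) || exp_uuid_cid == NULL) {`. `boot_uuid_compare` also dereferences the caller-supplied `uuid_vid` / `uuid_cid` without a NULL check. Both match functions end in a plain `return` where `boot_uuid_init` and `boot_uuid_cid_get` use `FIH_RET`; whether that weakens the fault-injection hardening depends on the FIH profile, which is not visible in this patch.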
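Review bot: The commit message scopes this change to nRF54H20, but `prj.conf` (and `sysbuild/ipc_radio.conf` and `sysbuild/mcuboot.conf` later in this patch) carry no board qualifier. The UUID options and the `nRF54H20_sample_app` / `nRF54H20_sample_rad` class names therefore appear to apply to every board the sample is built for. If that is not intended, move them to board-specific fragments. Either way a comment above the block, such as `# VID/CID names must match NRF_MCUBOOT_UUID_*_VALUE in sysbuild/mcuboot.conf`, would record that the signing-side and bootloader-side strings have to stay identical.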
diff --git a/samples/zephyr/subsys/mgmt/mcumgr/smp_svr/sysbuild/mcuboot.conf b/samples/zephyr/subsys/mgmt/mcumgr/smp_svr/sysbuild/mcuboot.conf
new file mode 100644
index 000000000000..94da076b8c5b
--- /dev/null
+++ b/samples/zephyr/subsys/mgmt/mcumgr/smp_svr/sysbuild/mcuboot.conf
@@ -0,0 +1,6 @@
+CONFIG_MCUBOOT_UUID_VID=y
+CONFIG_NRF_MCUBOOT_UUID_VID_VALUE="nordicsemi.com"
+
+CONFIG_MCUBOOT_UUID_CID=y
+CONFIG_NRF_MCUBOOT_UUID_CID_IMAGE_0_VALUE="nRF54H20_sample_app"
+CONFIG_NRF_MCUBOOT_UUID_CID_IMAGE_1_VALUE="nRF54H20_sample_rad"